GHA: permission token #2 #8
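---
# Build the apidocs site and publish it to S3.
#
# Branch -> target mapping (also mirrored in the job-level env below):
#   master      -> staging bucket  (private objects)
#   release     -> production bucket (private objects)
#   sc-*        -> shared "ephemeral-environments" bucket under <app>/<branch>
#                  (public-read objects)
name: Build and Upload

on:
  push:
    branches:
      - sc-ddt-gha
      # - master
      # - release
      # - 'sc-*'

env:
  APP: "apidocs"
  APP_RELEASY: "webapp-apidocs"
  S3BUCKETCACHE: "aplazameshared-jenkins-cache"
  # On push events github.head_ref is empty, so this resolves to github.ref_name.
  # It is deliberately consumed from the shell as $BRANCH_NAME rather than
  # interpolated into `run:` scripts with ${{ }}: as an environment variable the
  # branch name is data to the shell, not part of the script text.
  BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
  # NOTE(review): credentials for the AWS CLI come from the OIDC role assumed in
  # the "Configure aws credentials" step. If this named profile does not exist on
  # the runner the CLI fails with "config profile could not be found" even though
  # env credentials are present — confirm it is still needed.
  AWS_PROFILE: "AplazameSharedServices"
  AWS_REGION: "eu-west-1"
  # NOTE(review): the four values below are not read by this workflow (the job
  # uses `vars.S3_BUCKET_*` instead); presumably the Makefile consumes them —
  # verify before removing.
  S3_BUCKET_STAGING: apidocs-staging.aplazame.org
  S3_PATH_STAGING: build/staging
  S3_BUCKET_PRODUCTION: aplazame.dev
  S3_PATH_PRODUCTION: build/prod

# Least-privilege token: the job only needs to read the repository and mint an
# OIDC token for AWS. Declared at workflow level so no job inherits more.
permissions:
  contents: read
  id-token: write

jobs:
  build-and-upload:
    # GitHub deployment environment, selected by branch. `startsWith` is
    # required for the sc-* family: an equality test against the literal
    # string 'sc-*' never matches a real branch name.
    environment: ${{ github.ref == 'refs/heads/master' && 'staging' || github.ref == 'refs/heads/release' && 'produccion' || startsWith(github.ref, 'refs/heads/sc-') && 'ephemeral' }}
    # Production runner group only for master pushes / PRs targeting master.
    runs-on: >-
      ${{ (github.event_name == 'push' && github.ref == 'refs/heads/master'
      || github.event_name == 'pull_request' && github.event.pull_request.base.ref == 'master')
      && vars.AWS_RG_NAME_PRO || vars.AWS_RG_NAME_NONPRO }}
    env:
      ENVIRONMENT: ${{ github.ref == 'refs/heads/master' && 'staging' || github.ref == 'refs/heads/release' && 'prod' || startsWith(github.ref, 'refs/heads/sc-') && 'ephemeral' }}
      # Build output directory and destination bucket; exported to every step's
      # process environment so the deploy scripts can read them as $OUT_DIR and
      # $S3_BUCKET.
      OUT_DIR: ${{ github.ref == 'refs/heads/master' && 'build/staging' || github.ref == 'refs/heads/release' && 'build/prod' || startsWith(github.ref, 'refs/heads/sc-') && 'build/staging' }}
      S3_BUCKET: ${{ github.ref == 'refs/heads/master' && vars.S3_BUCKET_STAGING || github.ref == 'refs/heads/release' && vars.S3_BUCKET_PRODUCTION || startsWith(github.ref, 'refs/heads/sc-') && 'ephemeral-environments' }}
    steps:
      # Third-party actions are pinned to a full commit SHA (tag kept as a
      # comment) so a moved tag cannot swap in different code.
      - name: Checkout code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

      - name: Setup Node.js
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          # NOTE(review): Node 16 is end-of-life and no longer receives security
          # fixes; move to a supported LTS once the build is verified on it.
          node-version: 16
          cache: 'npm'

      - name: Instalar dependencias Make
        run: |
          npm install -g yarn
          sudo apt-get update
          sudo apt-get install -y make build-essential
          make install

      - name: Configure aws credentials
        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
        with:
          # NOTE(review): the role choice keys on `master`, while the mapping
          # above treats `release` as production — confirm that release deploys
          # are really meant to run under the NONPRO role.
          role-to-assume: ${{ github.ref == 'refs/heads/master' && vars.AWS_OIDC_ROLE_TF_PRO || vars.AWS_OIDC_ROLE_TF_NONPRO }}
          role-session-name: ${{ github.run_id }}
          aws-region: ${{ vars.WZ_OIDC_AWS_REGION }}

      - name: Build Make
        run: make build

      - name: deploy to S3 Bucket
        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/release'
        # Paths and bucket are read from the environment, never spliced into the
        # script with ${{ }}. HTML is re-uploaded with no-store so clients always
        # fetch the latest entry point; other assets may be cached for an hour
        # (Cache-Control directives use `=`, `max-age:3600` would be ignored).
        run: |
          aws s3 sync "$OUT_DIR" "s3://${S3_BUCKET}" --acl private --cache-control 'private, max-age=3600' --delete
          aws s3 cp "$OUT_DIR" "s3://${S3_BUCKET}" --recursive --exclude '*' --include '*.html' --acl private --cache-control 'no-cache, no-store'

      - name: Deploy to ephemerals - Branch SC
        if: startsWith(github.ref, 'refs/heads/sc-')
        # NOTE(review): objects are uploaded public-read, so docs for unreleased
        # branches are world-readable — confirm that is intended. If the bucket
        # uses Object Ownership "bucket owner enforced", `--acl` is rejected and
        # access must come from a bucket policy instead.
        run: |
          # `--delete` prunes everything under the target prefix; refuse to run
          # with an empty branch name so a bare "<app>/" prefix can never wipe
          # every other branch's deployment.
          if [ -z "$BRANCH_NAME" ]; then
            echo "BRANCH_NAME is empty; refusing to deploy" >&2
            exit 1
          fi
          target="s3://ephemeral-environments/${APP}/${BRANCH_NAME}"
          aws s3 sync build/staging "$target" --acl public-read --cache-control 'private, max-age=3600' --delete
          aws s3 cp build/staging "$target" --recursive --exclude '*' --include '*.html' --acl public-read --cache-control 'no-cache, no-store'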